osquery/osquery

osquery 5.10.2 segfault on macOS, maybe `genFirefoxAddons`

Closed this issue · 3 comments

Bug report

One of my coworkers was running launcher from the command line, and osquery segfaulted. Given that it's an osquery segfault, I suspect it's unrelated to launcher.

What operating system and version are you using?

macOS 14.2.1 (23C71)

What version of osquery are you using?

osqueryd version 5.10.2

What did you see instead?

-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Process:               osqueryd [37724]
Path:                  /usr/local/kolide-k2/bin/osqueryd-updates/1698153717/osquery.app/Contents/MacOS/osqueryd
Identifier:            io.osquery.agent
Version:               5.10.2 (5.10.2)
Code Type:             ARM-64 (Native)
Parent Process:        launcher [37706]
Responsible:           iTerm2 [1631]
User ID:               501

Date/Time:             2023-12-22 08:23:05.0844 -0600
OS Version:            macOS 14.2.1 (23C71)
Report Version:        12
Anonymous UUID:        41445983-59B1-1016-E177-7A7FAE28C347

Sleep/Wake UUID:       D537C8C5-C8F9-4BA8-A61F-F662C42A0C07

Time Awake Since Boot: 55000 seconds
Time Since Wake:       42 seconds

System Integrity Protection: enabled

Crashed Thread:        13  SchedulerRunner

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x55646e756f726760 -> 0x00006e756f726760 (possible pointer authentication failure)
Exception Codes:       0x0000000000000001, 0x55646e756f726760

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [37724]

VM Region Info: 0x6e756f726760 is not in any region.  Bytes after previous region: 15897006860129
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      MALLOC_NANO              600000000000-600020000000 [512.0M] rw-/rwx SM=PRV
--->
      UNUSED SPACE AT END


[SNIP]

Thread 13 Crashed:: SchedulerRunner
0   libsystem_platform.dylib                   0x181976dc4 _platform_strlen + 4
1   osqueryd                                   0x100e6f9ec std::__1::basic_ostream<char, std::__1::char_traits<char>>& std::__1::operator<<<std::__1::char_traits<char>>(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, char const*) + 48
2   osqueryd                                   0x1013b4a14 osquery::tables::genFirefoxAddonsFromExtensions(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>>, std::__1::allocator<std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>>>>&) + 1408
3   osqueryd                                   0x1013b4f80 osquery::tables::genFirefoxAddons(osquery::QueryContext&) + 380
4   osqueryd                                   0x100f45220 osquery::firefoxAddonsTablePlugin::generate(osquery::QueryContext&) + 48
5   osqueryd                                   0x100e9a4a8 osquery::tables::sqlite::xFilter(sqlite3_vtab_cursor*, int, char const*, int, sqlite3_value**) + 2372
6   osqueryd                                   0x1015e87c4 sqlite3VdbeExec + 13340
7   osqueryd                                   0x1015ba1a8 sqlite3_step + 444
8   osqueryd                                   0x100e8b554 osquery::readRows(sqlite3_stmt*, std::__1::vector<std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, boost::variant<long long, double, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, boost::variant<long long, double, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>>>, std::__1::allocator<std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, boost::variant<long long, double, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, boost::variant<long long, double, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>>>>>&, std::__1::shared_ptr<osquery::SQLiteDBInstance> const&) + 72
9   osqueryd                                   0x100e890e0 osquery::queryInternal(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, boost::variant<long long, double, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, boost::variant<long long, double, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>>>, std::__1::allocator<std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, boost::variant<long long, double, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, boost::variant<long long, double, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>>>>>&, std::__1::shared_ptr<osquery::SQLiteDBInstance> const&) + 240
10  osqueryd                                   0x100e88f54 osquery::SQLInternal::SQLInternal(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, bool) + 112
11  osqueryd                                   0x10100ba54 osquery::monitor(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, osquery::ScheduledQuery const&) + 600
12  osqueryd                                   0x10100bef4 osquery::launchQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, osquery::ScheduledQuery const&) + 320
13  osqueryd                                   0x10100dd9c std::__1::__function::__func<osquery::SchedulerRunner::start()::$_0, std::__1::allocator<osquery::SchedulerRunner::start()::$_0>, void (std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, osquery::ScheduledQuery const&)>::operator()(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&&, osquery::ScheduledQuery const&) + 108
14  osqueryd                                   0x100ec4f9c osquery::Config::scheduledQueries(std::__1::function<void (std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, osquery::ScheduledQuery const&)>, bool) const + 528
15  osqueryd                                   0x10100ca9c osquery::SchedulerRunner::start() + 140
16  osqueryd                                   0x101593150 osquery::InternalRunnable::run() + 108
17  osqueryd                                   0x101594388 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, std::__1::__bind<void (osquery::InternalRunnable::*)(), osquery::InternalRunnable*>>>(void*) + 84
18  libsystem_pthread.dylib                    0x18194a034 _pthread_start + 136
19  libsystem_pthread.dylib                    0x181944e3c thread_start + 8


osquery_crash_report.txt

osqueryd-2023-12-22-092843.ips.json
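
A triage helper for text reports like the one above, added here as an example (it is not osquery or launcher code): it extracts the raw faulting address and the crashed thread's frames, then checks whether the address bytes are all printable ASCII, a common sign that string data was used as a pointer. The function names are hypothetical and the sample is an excerpt of the report above.

```python
import re

# Excerpt of the crash report above (frames 1-2 and 4+ omitted for brevity).
SAMPLE_REPORT = """\
Crashed Thread:        13  SchedulerRunner
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x55646e756f726760 -> 0x00006e756f726760 (possible pointer authentication failure)

Thread 13 Crashed:: SchedulerRunner
0   libsystem_platform.dylib                   0x181976dc4 _platform_strlen + 4
3   osqueryd                                   0x1013b4f80 osquery::tables::genFirefoxAddons(osquery::QueryContext&) + 380
"""

FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+0x[0-9a-f]+\s+(.+?) \+ \d+$")

def fault_address(report):
    """First address on the 'Exception Codes' line (the raw value, left of '->')."""
    m = re.search(r"KERN_INVALID_ADDRESS at (0x[0-9a-fA-F]+)", report)
    return int(m.group(1), 16) if m else None

def address_as_text(addr, width=8):
    """Little-endian bytes of addr as ASCII if all are printable, else None."""
    raw = addr.to_bytes(width, "little")
    return raw.decode("ascii") if all(0x20 <= b <= 0x7E for b in raw) else None

def crashed_frames(report):
    """(index, image, symbol) for each frame listed under 'Thread N Crashed'."""
    frames, in_crashed = [], False
    for line in report.splitlines():
        if re.match(r"Thread \d+ Crashed", line):
            in_crashed = True
        elif in_crashed:
            m = FRAME_RE.match(line)
            if not m:
                break  # blank line or next thread header ends the block
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames

def triage(report):
    addr = fault_address(report)
    frames = crashed_frames(report)
    return {
        "fault_address": hex(addr) if addr is not None else None,
        "address_as_text": address_as_text(addr) if addr is not None else None,
        "top_symbol": frames[0][2] if frames else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

For the report above, every byte of the raw faulting address is printable ASCII, and the top frame is the `strlen` call reached from the `char const*` stream insertion.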

I could not reproduce the exact stack trace even with a Release build; either way, I got a crash.
Is it possible to double-check that my fix in #8227 does it?

I found a second one, updating the PR...

We couldn't easily reproduce the crash. (So I'm not going to be able to validate a fix.)